Questions tagged [kubernetes-security]

Questions related to Kubernetes security: from deploying a cluster securely to running secure workloads on it.

116 questions
2 votes, 1 answer

Failed to discover supported resources

I am trying to Create User With Limited Namespace Access. I created a namespace named test and also created Group: programmers, User: frontend. Generated credentials for user frontend with the help of the following…
BSG • 673 • 2 • 13 • 33
2 votes, 1 answer

What is the recommended cert strategy for multi-master K8s clusters?

Is it atypical for multi-master K8s cluster deployments to use unique certs per service, per controller node? Most guides I've seen generate unique certs per service (API, Controller, Scheduler) and then use those certs for the eponymous service on…
akutz • 355 • 4 • 5
2 votes, 1 answer

Decrypting Kubernetes master API calls

Team, I am running kubectl from my laptop and captured a Wireshark trace of the same. How could I decrypt the traffic hitting the API server? E.g., we decrypt HTTP calls using the private key of the web server. In the k8s world, how would I decrypt the…
user9182249
2 votes, 2 answers

How to set up an audit policy in kube-apiserver?

I've been reading about how to set up audit in Kubernetes here, which basically says that in order to enable audit I have to specify a YAML policy file to kube-apiserver when starting it up, by using the flag --audit-policy-file. Now, there are two…
jotadepicas • 2,389 • 2 • 26 • 48
2 votes, 1 answer

kubernetes kubespray configuration - disabling insecure port AND setting kube_api_anonymous_auth as false

By default the kubespray cluster configuration has: kube_apiserver_insecure_port: 8080 # (http) # Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true #kube_apiserver_insecure_port: 0 #…
user1819071 • 605 • 1 • 9 • 17
2 votes, 1 answer

No API token found for service account "default"

Not able to create a pod in Kubernetes version v1.10.0-beta.3. When I create a pod on the master node I face the following error: kubectl create -f ./nginx-rc.yaml ERROR: No API token found for service account "default", retry after the token is…
wwd • 21 • 1 • 2
2 votes, 2 answers

Understanding Kubernetes users

I am having trouble trying to understand the Kubernetes authentication model, especially what "users" are. Suppose I am on a computer which is inside a Kubernetes cluster. I want to make a request to the API server using kubectl. So: - I need to have…
testTester • 2,371 • 3 • 18 • 22
2 votes, 1 answer

Limit access to a Kubernetes cluster on Google Cloud Platform

We have created 2 different Kubernetes clusters on Google Cloud Platform, one for Development and the other for Production. Our team members have the "editor" role (so they can create, update, delete and list pods). We want to limit access to the…
2 votes, 2 answers

kubernetes: Authentication to UI with default config file fails

I have successfully set up a Kubernetes cluster on AWS using kops and the following commands: $ kops create cluster --name= --state=s3:// --zones=eu-west-1a --node-count=2 --node-size=t2.micro --master-size=t2.small…
pkaramol • 16,451 • 43 • 149 • 324
2 votes, 0 answers

How to use RBAC to control access to a type of secret resources?

In my k8s cluster, there are some secret resources which are listed below. $kubectl get secrets -n istio-system NAME TYPE default-token-4wwkb …
JimmyCYJ • 771 • 1 • 5 • 12
2 votes, 0 answers

Is it possible to customise the creation and storage of Kubernetes service account token?

Is it possible to customise how a Kubernetes service account is created? Once created, is it possible to specify how it is stored? I'd like to avoid storing the tokens as secrets if at all possible as I want them stored outside Kubernetes.
John • 10,837 • 17 • 78 • 141
2 votes, 1 answer

What is the meaning of the Kubernetes webhook user client-certificate config?

I need to implement a custom authentication and authorisation module for Kubernetes. This is going to have to be done via a webhook. The documentation for the authentication and authorisation webhooks describes a config file that the API Server…
John • 10,837 • 17 • 78 • 141
1 vote, 1 answer

HashiCorp Vault: multiple applications and multiple service accounts - prevent another app from using a different service account

I have a Vault deployment in my cluster that I use to store secrets. Additionally, I have created roles, policies, and a ServiceAccount. My applications will retrieve secrets from Vault using this service account. However, I am concerned that…
1 vote, 2 answers

Unable to authenticate Kubernetes cluster with the certificate-authority

I have a kubeadm cluster. I modified the .kube/config file by exporting the hardcoded certificate-authority-data value (the base64 of the CA certificate) to another file called ca.b64.crt. I also modified the client-certificate and client-key by having…
Khaled • 345 • 5 • 14
1 vote, 1 answer

Can we provide a user name that a pod's containers need to run as in Kubernetes?

In the Pod specification, there is an option to specify the user ID that all containers need to run as: podSecurityContext: runAsUser: Is there a way we can change the user name as well, the way we have for Windows pods and…